       A number of myths have surfaced about the threat of computer
       "viruses."  There are myths about how widespread they are, how
       dangerous they are, and even myths about what a computer virus
       really is.  We want you to know the facts.

       The first thing you need to learn is that a computer virus falls
       in the realm of malicious programming techniques known as "Trojan
       horses."  All viruses are Trojan horses, but relatively few
       Trojan horses can be called viruses.

       That having been said, it's time to go over the terminology we
       use when we lecture:

          BBS         Bulletin Board System.  If you have a modem, you
                      can call a BBS and leave messages, transfer com-
                      puter files back & forth, and learn a lot about
                      computers.  (What you're reading right now, for
                      example, most likely came to you from a BBS.)

          Bug         an accidental flaw in the logic of a program which
                      makes it do things it shouldn't be doing.  Pro-
                      grammers don't mean to put bugs in their programs,
                      but they always creep in.  Programmers often spend
                      more time "debugging" programs than they do
                      writing them in the first place.  Inadvertent bugs
                      have caused more data loss than all viruses
                      combined.

          Hacker      someone who really loves computers and who wants
                      to push them to the limit.  Hackers have a healthy
                      sense of curiosity: they try doorknobs just to see
                      if they're locked, for example.  They also love to
                      tinker with a piece of equipment until it's "just
                      right."  The entire computer revolution itself is
                      largely a result of hackers.

          Shareware   a distribution method for quality software avail-
                      able on a "try before you buy" basis.  You must
                      pay for it if you continue using it after the
                      trial period.  Shareware authors let you download
                      their programs from BBSs and encourage you to give
                      evaluation copies to friends.  Many shareware
                      applications rival their retail-shelf counterparts
                      at a fraction of the price.  (You must pay for the
                      shareware you continue to use -- otherwise you're
                      stealing software.)



       (c) 1988,93 Rob Rosenberger & Ross M. Greenberg      Page 1 of 10

          Trojan
          horse       a generic term describing a set of computer
                      instructions purposely hidden inside a program.
                      Trojan horses tell programs to do things you don't
                      expect them to do.  The term comes from the legen-
                      dary battle in which the ancient city of Troy
                      received a large wooden horse to commemorate a
                      fierce battle.  The "gift" secretly held enemy
                      soldiers in its belly and, when the Trojans rolled
                      it into their fortified city, ....

          Virus       a term for a very specialized Trojan horse which
                      spreads to other computers by secretly "infecting"
                      programs with a copy of itself.  A virus is the
                      only type of Trojan horse which is contagious,
                      much like the common cold.  If a Trojan horse
                      doesn't meet this definition, then it isn't
                      a virus.

          Worm        a term similar to a Trojan horse, but there is no
                      "gift" involved.  If the Trojans had left that
                      wooden horse outside the city, they wouldn't have
                      been attacked from inside the city.  Worms, on the
                      other hand, can bypass your defenses without
                      having to deceive you into dropping your guard.
                      An example would be a program designed to spread
                      itself by exploiting bugs in a network software
                      package.  Worms usually come from someone who has
                      legitimate access to the computer or network.

          Wormers     what we call people who unleash Trojan horses onto
                      an unsuspecting public.  Let's face it, these
                      people aren't angels.  What they do hurts us.
                      They deserve our disrespect.

       Viruses, like all Trojan horses, purposely make a program do
       things you don't expect it to do.  Some viruses will just annoy
       you, perhaps only displaying a "Peace on earth" greeting.  The
       viruses we worry about will try to erase your data (the most
       valuable asset of your computer!) and waste your valuable time in
       recovering from an attack.

       Now you know the differences between a bug and a Trojan horse and
       a virus.  Let's get into some of the myths:

       "All purposely destructive code spreads like a virus."
          Wrong.  Remember, "Trojan horse" describes purposely destruc-
       tive code in general.  Very few Trojan horses actually qualify as
       viruses.  Newspaper & magazine reporters tend to call almost any-
       thing a virus because they often have no real understanding of
       computer crime.

       "Viruses and Trojan horses are a recent phenomenon."
          Trojan horses have existed since the first days of the com-
       puter; hackers toyed with viruses in the early 1960s as a form of
       amusement.  Many different Trojan horse techniques have emerged
       over the decades to embezzle money, destroy data, fool investors,
       etc.  The general public really didn't know of this problem until
       the IBM PC revolution brought it into the spotlight.  Banks still
       hush up computerized embezzlements to this day because they
       believe customers will lose faith in them if word gets out.

       "Viruses are written by teenage hackers."
          Yes, hackers have unleashed viruses -- but so has a computer
       magazine publisher.  And according to one trusted military publi-
       cation, the U.S. Defense Department creates computer viruses for
       use as weapons.  Trojan horses for many decades sprang from the
       minds of middle-aged men; computer prices have only recently
       dropped to a level where teenagers could get into the act.  We
       call people "wormers" when they abuse their knowledge of com-
       puters.
          You shouldn't fear hackers just because some of them know how
       to write viruses.  This whole thing boils down to an ethics
       issue, not a technology issue.  Hackers know a lot about com-
       puters; wormers abuse their knowledge.  Hackers as a whole got a
       bum rap when the mass media corrupted the term.

       "Viruses infect 25% of all IBM PCs every month."
          If 25% suffer an infection every month, then 100% would have a
       virus every four months -- in other words, every IBM PC would
       suffer an infection three times per year.  This mythical estimate
       surfaced in the media after researcher Peter Tippett wrote a com-
       plex thesis on how viruses might spread in the future.
          Computer viruses exist all over the planet, yes -- but they
       won't take over the world.  Only about 500 different viruses
       exist at this time; many of them have never existed "in the wild"
       and some have since been completely eliminated "from the wild."
       You can easily reduce your exposure to viruses with a few simple
       precautions.  Yes, it's still safe to turn on your computer!

       "Only 500 different viruses?  But most experts talk about them in
       the thousands."
          The virus experts who claim much larger numbers usually work
       for antivirus companies.  They count even the most insignificant
       variations for advertising purposes.  When the Marijuana virus
       first appeared, for example, it contained the word "legalise,"
       but a miscreant later modified it to read "legalize."  Any pro-
       gram which can detect the original virus can detect the version
       with one letter changed -- but antivirus companies count them as
       "two" viruses.  These obscure differentiations quickly add up.
          And take note: the majority of "new" computer viruses dis-
       covered these days are only minor variations on well-known
       viruses.

       "A virus could destroy all the files on my disks."
          Yes, and a spilled cup of coffee could do the same thing.  You
       can recover from any virus or coffee problem if you have adequate
       backups of your data.  Backups mean the difference between a nui-
       sance and a disaster.  You can safely presume there has been more
       accidental loss of data than loss by all viruses and Trojan
       horses.

       "Viruses have been documented on over 300,000 computers {1988}."
       "Viruses have been documented on over 400,000 computers {1989}."
       "The Michelangelo virus alone was estimated to be on over
       5,000,000 computers {1992}."
          These numbers originated from John McAfee, a self-styled virus
       fighter who craves attention and media recognition.  If we assume
       it took him a mere five minutes to adequately document each viral
       infection, it would have taken four man-years of effort to docu-
       ment a problem only two years old by 1989.  We further assume
       McAfee's statements included every floppy disk ever infected up
       to that time by a virus, as well as every computer involved in
       the Christmas and InterNet worm attacks.  (Worms cannot be
       included in virus infection statistics.)
          McAfee prefers to "estimate" his totals these days and was
       widely quoted during the Michelangelo virus hysteria in early
       1992.  Let's do some estimating ourselves by assuming about 80
       million IBM PC-compatible computers around the world.  McAfee's
       estimate meant one out of every 16 of those computers not only
       had a virus of some type, it specifically had the Michelangelo
       virus.  Many other virus experts considered it an astronomical
       estimate based on the empirical evidence.

       "Viruses can hide inside a data file."
          Data files can't wreak havoc on your computer -- only an execu-
       table program file can do that (including the one that runs every
       time you turn on or reboot a computer).  If a virus infected a
       data file, it would be a wasted effort.  But let's be realistic:
       what you think is "data" may actually be an executable program
       file.  For example, a "batch file" on an IBM PC contains only
       text, yet DOS treats it just like an executable program.

       "Some viruses can completely hide themselves from all antivirus
       software, making them truly undetectable."
          This myth ironically surfaced when certain antivirus companies
       publicized how they could detect so-called "Mutation Engine"
       viruses.  The myth gained national exposure in early 1993 when
       the Associated Press printed excerpts from a new book about
       viruses.  Most viruses have a character-based "signature" which
       identifies the virus both to itself (so it doesn't infect a program
       too many times) and to antivirus software (which uses the
       signature to detect the virus).  A Mutation Engine virus employs
       an algorithm signature rather than a character-based signature --
       but it still has a unique, readily identifiable signature.
          The technique of using algorithm signatures really doesn't
       make it any harder to detect a virus.  You just have to do some
       calculations to know the correct signature -- no big deal for an
       antivirus program.
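
       The signature argument above and the earlier "legalise" versus
       "legalize" point, as an added example (not code from the original
       treatise or from any antivirus product).  All byte strings are
       constructed stand-ins, and the one-byte XOR encoding is an assumed,
       much simpler scheme than the Mutation Engine.

```python
# Added illustration. Every byte string below is constructed for the example;
# none of it is a real virus signature.

WILDCARD = None  # a signature position that may hold any byte


def find_signature(data, sig):
    """Character-based scan: return the first offset where sig matches, or -1.

    sig is a list of byte values; WILDCARD entries match anything, which is
    how one signature covers variants that differ in a single letter.
    """
    n = len(sig)
    for off in range(len(data) - n + 1):
        if all(s is WILDCARD or data[off + i] == s for i, s in enumerate(sig)):
            return off
    return -1


def xor_deltas(buf):
    """XOR of each adjacent byte pair.

    Unchanged by single-byte XOR encoding: (a ^ k) ^ (b ^ k) == a ^ b.
    """
    return bytes(a ^ b for a, b in zip(buf, buf[1:]))


def find_xor_encoded(data, plain_sig):
    """Computed ("algorithm") signature for the assumed one-byte XOR scheme.

    Returns (offset, key) if plain_sig is present under any key (key 0 means
    unencoded), else None. Short signatures raise the false-positive rate.
    """
    if len(plain_sig) < 2:
        raise ValueError("need at least two signature bytes")
    off = xor_deltas(data).find(xor_deltas(plain_sig))
    if off < 0:
        return None
    return off, data[off] ^ plain_sig[0]


def xor_bytes(buf, key):
    """Encode or decode buf with a one-byte XOR key."""
    return bytes(b ^ key for b in buf)


# Constructed samples: padding, a made-up "code" run, then the text string.
PAD = b"\x00" * 8
CODE = bytes([0x11, 0x22, 0x33, 0x44, 0x55, 0x66])
VARIANT_A = PAD + CODE + b"legalise" + PAD
VARIANT_B = PAD + CODE + b"legalize" + PAD
CLEAN = PAD + b"an ordinary program" + PAD
ENCODED = PAD + xor_bytes(CODE + b"legalize", 0x5A) + PAD

# One signature, wildcard at the letter that differs between the variants.
SIG = list(CODE + b"legali") + [WILDCARD, ord("e")]
# Plain bytes used to derive the key-independent delta signature.
PLAIN_SIG = CODE + b"legali"

if __name__ == "__main__":
    for name, sample in [("variant A", VARIANT_A), ("variant B", VARIANT_B),
                         ("clean", CLEAN), ("encoded", ENCODED)]:
        print(name, find_signature(sample, SIG),
              find_xor_encoded(sample, PLAIN_SIG))
```

       The fixed-byte scan finds both spellings at the same offset but
       misses the encoded copy; the delta comparison finds the encoded
       copy and recovers the key.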

       "BBSs and shareware programs spread viruses."
          Here's another scary myth, this one spouted as gospel by many
       "experts" who claim to know how viruses spread.  "The truth,"
       says PC Magazine publisher Bill Machrone, "is that all major
       viruses to date were transmitted by [retail] packages and private
       mail systems, often in universities."  [PC Magazine, October 11,
       1988.]  What Machrone said back then still applies today.  Over
       50 retail companies have admitted spreading infected master disks
       to tens of thousands of customers since 1988 -- compared to only
       nine shareware authors who have spread viruses on master disks to
       fewer than 300 customers since 1990.
          Machrone goes on to say "bulletin boards and shareware authors
       work extraordinarily hard at policing themselves to keep viruses
       out."  Reputable sysops check every file for Trojan horses;
       nationwide sysop networks help spread the word about dangerous
       files.  Yes, you should beware of the software you get from BBSs
       and shareware authors, but you should also beware of retail soft-
       ware found on store shelves.
          By the way, many stores now routinely re-shrinkwrap returned
       software and put it on the shelf again.  Do you know for sure
       only you ever touched those master disks?

       "My computer could be infected if I call an infected BBS."
          BBSs can't write information on your disks -- the communica-
       tions software you use performs this task.  You can only transfer
       a dangerous file to your computer if you let your software do it.
          And there is no "300bps subcarrier" by which a virus can slip
       through a modem.  A joker who called himself Mike RoChenle
       ("micro channel," get it?) started this myth after leaving a
       techy-joke message on a public network.  Unfortunately, some
       highly respected journalists got taken in by the joke.

       "So-called `boot sector' viruses travel primarily in software
       downloaded from BBSs."
          This common myth -- touted as gospel even by "experts" --
       expounds on the supposed role bulletin boards play in spreading
       infections.  Boot sector viruses spread only if you directly copy
       an infected floppy disk, or if you try to "boot" a computer from
       an infected disk, or if you use a floppy in an infected computer.
       BBSs deal exclusively with program files and don't pass along
       copies of boot sectors.  Bulletin board users thus have a natural
       immunity to boot-sector viruses in downloaded software.  (And
       since the clear majority of infections stem from boot sector
       viruses, this fact alone exonerates the BBS community as the so-
       called "primary" source for the spread of viruses.)
          We should make a special note about "dropper" programs
       developed by virus researchers as an easy way to transfer boot
       sector viruses among themselves.  Since they don't replicate,
       "dropper" programs don't qualify as viruses.  These programs have
       never appeared on BBSs to date and have no real use other than to
       transfer infected boot sectors.

       "My files are damaged, so it must have been a virus attack."
          It also could have happened because of a power flux, or static
       electricity, or a fingerprint on a floppy disk, or a bug in your
       software, or perhaps a simple error on your part.  Power
       failures, spilled cups of coffee, and user errors have destroyed
       more data than all viruses combined.

       "Donald Burleson was convicted of releasing a virus."
          Newspapers all over the country hailed a 1989 Texas computer
       crime trial as a "virus" trial.  The defendant, Donald Burleson,
       had released a destructive Trojan horse on his employer's main-
       frame computer.  The software in question couldn't spread to
       other computers, and prosecuting attorney Davis McCown claimed he
       "never brought up the word virus" during Burleson's trial.  So
       why did the media call it one?
         1. David Kinney, an expert witness testifying for the defense,
            claimed Burleson had unleashed a virus.  The prosecuting
            attorney didn't argue the point and we don't blame him --
            Kinney's claim may have actually swayed the jury to convict
            Burleson.
         2. McCown gave reporters the facts behind the case and let them
            come up with their own definitions.  The Associated Press
            and USA Today, among others, used such vague definitions
            that any program would have qualified as a virus.  If we
            applied their definitions to the medical world, we could
            safely label penicillin as a biological virus (which is, of
            course, absurd).

       "Robert Morris Jr. released a benign virus on a defense network."
          It supposedly may have been benign, but it wasn't a virus.
       Morris, the son of a chief computer scientist at the U.S.
       National Security Agency, decided one day to take advantage of
       bugs in the software which controls InterNet, a network the
       Defense Department often uses.  These tiny bugs let Morris send a
       worm throughout the network.  Among other things, the "InterNet
       worm" sent copies of itself to other computers -- and clogged the
       entire network in a matter of hours due to bugs in the worm
       module itself.  The press called it a "virus," like it called the
       1987 "Christmas worm" a virus, because it spread to other com-
       puters.  Yet Morris's work didn't infect any computers.  A
       few notes:
         1. Reporters finally started calling it a worm a year after the
            fact, but only because lawyers on both sides of the case
            constantly referred to it as a worm.
         2. The worm operated only on Sun-3 & VAX computers which employ
            the UNIX operating system and which were specifically linked
            into InterNet at the time of the attack.
         3. The 6,200 affected computers cannot be counted in virus
            infection statistics (they weren't infected).
         4. It cost way less than $98 million to clean up the attack.
            An official Cornell University report claims John McAfee,
            the man behind this wild estimate, "was probably serving
            [him]self" in an effort to drum up business.  People
            familiar with the case estimated the final figure at
            slightly under $1 million.
         5. Yes, Morris could easily have added some infection code to
            make it both a worm and a virus if he'd had the urge.
         6. InterNet gurus have since fixed the bugs Morris exploited in
            the attack.
         7. Morris went on trial for launching the worm and received a
            federal conviction.  The Supreme Court refused to hear his
            case, so the conviction stands.

       "The U.S. government planted a virus in Iraqi military computers
       during the Gulf War."
          U.S. News & World Report in early 1992 claimed the National
       Security Agency had replaced a computer chip in a printer bound
       for Iraq just before the Gulf War with a secret computer chip
       containing a virus.  The magazine cited "two unidentified senior
       U.S. officials" as their source, saying "once the virus was in
       the [Iraqi computer] system, ...each time an Iraqi technician
       opened a `window' on his computer screen to access information,
       the contents of the screen simply vanished."
          Yet the USN&WR story shows amazing similarities to a 1991
       April Fool's joke published by InfoWorld magazine.  Most computer
       experts dismiss the USN&WR story as a hoax -- an "urban legend"
       innocently created by the InfoWorld joke.  Some notes:
         1. USN&WR continues to stand by its story, but did publish a
            "clarification" stating "it could not be confirmed that the
            [virus] was ultimately successful."  The editors broke with
            tradition by declining to print any letters readers had sub-
            mitted about it.
         2. Ted Koppel, a well-known American news anchor, opened one of
            his "Nightline" broadcasts with a report on the alleged
            virus.  Koppel's staff politely refers people to talk with
            USN&WR about the story's validity.
         3. InfoWorld didn't label their story as fiction, but the last
            paragraph identified it as an April Fool's joke.

       "Viruses can spread to all sorts of computers."
          The design of all Trojan horses limits them to a family of
       computers, something especially true for viruses.  A virus
       written for IBM PCs cannot infect an IBM 4300 series mainframe,
       nor can it infect a Commodore C64, nor can it infect an Apple
       Macintosh.
          But take note: some computers can now run software written for
       other types of computers.  An Apple Macintosh, with the right
       products, can run IBM PC software for example.  If one type of
       computer can run software written for another type of computer,
       then it can also catch viruses written for the other type of com-
       puter.

       "My backups will be worthless if I back up a virus."
          No, they won't.  Let's suppose a virus does get backed up with
       your files.  You can restore important documents and databases
       and spreadsheets -- your valuable data -- without restoring an
       infected program.  You just reinstall the programs from master
       disks.  It's tedious work, but not as hard as some people claim.

       "Antivirus software will protect me from viruses."
          There is no such thing as a foolproof antivirus program.
       Viruses and other Trojan horses can be (and have been) designed
       to bypass them.  Antivirus products also can be tricky to use at
       times and they occasionally have bugs.  Always use a good set of
       backups as your first line of defense; rely on antivirus software
       only as a second line of defense.

       "Read-only files are safe from virus infections."
          This common myth among IBM PC users has appeared even in some
       computer magazines.  Supposedly, you can protect yourself by
       using the ATTRIB command to set the read-only attribute on pro-
       gram files.  Yet ATTRIB is software -- what it can do, a virus can
       undo.  The ATTRIB command cannot halt the spread of most viruses.

       "Viruses can infect files on write-protected floppy disks."
          Another common IBM PC myth.  If viruses can modify read-only
       files, people assume they can also modify files on write-pro-
       tected disks.  However, the disk drive itself knows when a floppy
       has a write-protect tab and refuses to write to the disk.  You
       can't override an IBM PC drive's write-protect sensor with a
       software command.



       We hope this dispels the many computer virus myths.  Viruses DO
       exist, they ARE out there, they WANT to spread to other com-
       puters, and they CAN cause you problems.  But you can defend
       yourself with a cool head and a good set of backups.

       The following guidelines can shield you from viruses and other
       Trojan horses.  They will lower your chances of getting infected
       and raise your chances of recovering from an attack.
         1. Implement a procedure to regularly back up your files and
            follow it religiously.  We can't emphasize this enough!
            Consider purchasing a user-friendly program or a tape backup
            device to take the drudgery out of this task.  You'll find
            plenty of inexpensive programs and tape backup hardware to
            choose from.
         2. Rotate between at least two sets of backups for better
            security (use set #1, then set #2, then set #1...).  The
            more sets you use, the better protection you have.  Many
            people take a "master" backup of their entire hard disk,
            then take a number of "incremental" backups of files which
            have changed since the last time they backed up.  Incre-
            mental backups might only require five minutes of your time
            each day.
         3. Many IBM PC computers now have a "BIOS option" to ignore
            floppy drives during the bootup process.  Consult your com-
            puter's documentation to see if you can set this option.  It
            will greatly reduce your exposure to boot sector viruses
            (the most common type of computer virus).
         4. Download files only from reputable BBSs where the sysop
            checks every program for Trojan horses.  If you're still
            afraid, consider getting programs from a BBS or "disk
            vendor" company which obtains files direct from the authors.
         5. Let a newly uploaded file "mature" on a BBS for one or two
            weeks before you download it (others will put it through
            its paces).
         6. Consider using a program that searches ("scans") for known
            viruses.  Almost all infections involve viruses known to
            antivirus companies.  A recent version (no more than four
            months old) of any "scanning" program will in all proba-
            bility identify a virus before it can infect your computer.
            But remember: there is no perfect antivirus defense.
         7. Consider using a program that creates a unique "signature"
            of all the programs on your computer.  Run this software
            once in a while to see if any of your program files have been
            modified -- either by a virus or perhaps just by a stray
            gamma ray.
         8. DON'T PANIC if your computer starts acting weird.  You might
            have a virus, but then again you might not.  Immediately
            turn off all power to your computer and disconnect it from
            any local area networks.  Reboot from a write-protected copy
            of your master DOS disk.  Don't run any programs on a "regu-
            lar" disk -- you might activate a Trojan horse.  If you don't
            have adequate backups, try to bring them up-to-date.  (Yes,
            you might back up a virus as well, but it can't hurt you if
            you don't use your normal programs.)  Set your backups off
            to the side.  Only then can you safely hunt for problems.
         9. If you can't figure out the problem and you don't know what
            to do next, just turn off your computer and call for help.
            Consider calling a local computer group before you call for
            an expert.  If you need a professional, consider a regular
            computer consultant first.  (Some "virus removal experts"
            charge prices far beyond their actual value.)
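
       Guideline 7 above, as an added example (not a product the authors
       describe): a minimal program-file "signature" checker.  SHA-256 and
       the extension list are assumptions; the treatise names neither.
       Keep the saved baseline on write-protected media, since anything
       able to modify a program file could also modify a baseline stored
       beside it.

```python
import hashlib
import json
import os
import tempfile

# Assumption: which extensions count as "program files". The text mentions
# executable programs and batch files; adjust for the system being checked.
PROGRAM_EXTS = {".com", ".exe", ".bat", ".sys"}


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exts=PROGRAM_EXTS):
    """Map each program file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full)
    return baseline


def compare(old, new):
    """Report program files modified, added, or removed since the baseline."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def save_baseline(baseline, path):
    """Write the baseline as JSON (store it on write-protected media)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    """Read a baseline written by save_baseline."""
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def demo():
    """Baseline a directory of constructed files, change it, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        put("EDIT.EXE", b"constructed program image")
        put("FORMAT.COM", b"another constructed program")
        put("AUTOEXEC.BAT", b"@echo off\r\n")
        put("NOTES.TXT", b"data file, not tracked")
        before = build_baseline(root)

        # Simulated changes: one program altered, one added, one removed.
        put("EDIT.EXE", b"constructed program image" + b"\x00appended bytes")
        put("NEW.COM", b"program that was not there before")
        put("NOTES.TXT", b"edited data")  # ignored: not a program file
        os.remove(os.path.join(root, "FORMAT.COM"))
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

       A reported change is not proof of infection; upgrades and
       reinstallations change program files too, so rebuild the baseline
       after each known-good change.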

       We'd appreciate it if you would mail us a copy of any Trojan
       horse or virus you discover.  (Be careful you don't damage the
       data on your disks while trying to do this!)  Include as much
       information as you can and put a label on the disk saying it con-
       tains a malicious program.  Send it to Ross M. Greenberg, Soft-
       ware Concepts Design, Virus Acres, New Kingston, NY 12459.
       Thank you.

         Ross M. Greenberg writes both shareware and retail virus
         detection & removal programs.  (Products aren't mentioned by
         name because this treatise isn't the place for advertise-
         ments.)  He serves as a sysop for the Virus & Security Round-
         Table on GEnie and is also currently working on a number of
         other products having nothing to do with computer viruses.

         Rob Rosenberger serves as lead sysop for CompuServe's SHARE-
         WARE forum.  He has researched computer virus myths & hoaxes
         since 1988.  His research on the cause of the Michelangelo
         virus scare of 1992 has been reprinted in ISPNews (a computer
         security industry newsletter); and he has consulted on com-
         puter virus & data security books written by Janet
         Endrijonas, Pamela Kane, and Richard B. Levin.

         These men communicated entirely by modem while writing this
         treatise.

                (c) 1988,93 Rob Rosenberger & Ross M. Greenberg


       Rosenberger can be reached electronically on CompuServe as
       [74017,1344], on GEnie as R.ROSENBERGE, on InterNet as
       `74017.1344@compuserve.com', and on various national BBS linkups.
       Greenberg can be reached electronically on MCImail and BIX and
       GEnie as `greenber', on InterNet as `greenber@ramnet.com', and on
       CompuServe as [72461,3212].

       You may give copies of this treatise to anyone if you pass it
       along unmodified and in its entirety.  We especially encourage
       antivirus vendors and book authors to bundle it with their pro-
       ducts as a public service.

       Printed publications may reprint this treatise in whole or in
       part, at no charge, if they give due credit to the authors.  For-
       profit publications must submit two copies to: Rob Rosenberger,
       P.O. Box 1115, O'Fallon, IL 62269.  Book publications need only
       submit one copy.  Non-profit publications do not have to submit
       any copies.